Report No. D-2009-104                                        September 21, 2009

Sanitization and Disposal of Excess Information Technology Equipment

Additional Information and Copies
To obtain additional copies of this report, visit the Web site of the Department of Defense Inspector General at http://www.dodig.mil/audit/reports or contact the Secondary Reports Distribution Unit at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Audits
To suggest or request audits, contact the Office of the Deputy Inspector General for Auditing by phone (703) 604-9142 (DSN 664-9142), by fax (703) 604-8932, or by mail:

    ODIG-AUD (ATTN: Audit Suggestions)
    Department of Defense Inspector General
    400 Army Navy Drive (Room 801)
    Arlington, VA 22202-4704

Acronyms and Abbreviations
AFB                  Air Force Base
ASD (NII)/DOD CIO    Assistant Secretary of Defense (Networks and Information Integration)/DOD Chief Information Officer
DRMS                 Defense Reutilization and Marketing Service
IT                   Information Technology
NAS                  Naval Air Station
NAVAIR               Naval Air Systems Command
NAVFAC               Naval Facilities Engineering Command
NAWCAD               Naval Air Warfare Center Aircraft Division
USACE                U.S.
Army Corps of Engineers

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-4704

September 21, 2009

MEMORANDUM FOR DISTRIBUTION

SUBJECT: Sanitization and Disposal of Excess Information Technology Equipment (Report No. D-2009-104)

We are providing this final report for review and comment. We considered comments from the Assistant Secretary of Defense (Networks and Information Integration)/DOD Chief Information Officer; Chief Information Officer, Department of the Navy; Director of Corporate Information, U.S. Army Corps of Engineers; and Commander, U.S. Army Corps of Engineers Louisville District, when preparing the final report. The Commander, 436th Medical Group, Dover Air Force Base, and the Commander, 50th Space Communications Squadron, Schriever Air Force Base, did not respond to the draft report. The complete text of the comments is in the Management Comments section of the report.

DOD Directive 7650.3 requires all recommendations be resolved promptly. The Assistant Secretary of Defense (Networks and Information Integration)/DOD Chief Information Officer's comments on Recommendation 1 and the Navy Chief Information Officer and Commander, Naval Air Warfare Center Aircraft Division, comments on Recommendations 3, 4, 6.a, 6.b, and 6.c were responsive and require no further comments. The Navy Chief Information Officer and Commander, Naval Air Warfare Center Aircraft Division, comments on Recommendation 6.d and the comments of the Director of Corporate Information, U.S. Army Corps of Engineers, on Recommendation 2 were not responsive because the actions proposed will not fully resolve the issues identified. The comments of the Commander, U.S. Army Corps of Engineers Louisville District, on Recommendation 5 were not responsive because he did not indicate which electronic record-keeping system would be used to track hard drives containing sensitive information that are removed from their computer shells. Therefore, we request comments as indicated in the recommendations table on page ii by October 21, 2009.

Please provide comments that conform to the requirements of DOD Directive 7650.3. If possible, send a .pdf file containing your comments to audros@dodig.mil. Copies of your comments must have the actual signature of the authorizing official for your organization. We are unable to accept the /Signed/ symbol in place of the actual signature. If you arrange to send classified comments electronically, you must send them over the SECRET Internet Protocol Router Network (SIPRNET).

We appreciate the courtesies extended to the staff. Please direct questions to me at (703) 604-8905 (DSN 664-8905).

Assistant Inspector General
Readiness, Operations, and Support

DISTRIBUTION:

UNDER SECRETARY OF DEFENSE FOR ACQUISITION, TECHNOLOGY, AND LOGISTICS
ASSISTANT SECRETARY OF DEFENSE (NETWORKS AND INFORMATION INTEGRATION)/DOD CHIEF INFORMATION OFFICER
ASSISTANT SECRETARY OF THE AIR FORCE (FINANCIAL MANAGEMENT AND COMPTROLLER)
DIRECTOR, DEFENSE LOGISTICS AGENCY
    DIRECTOR, DEFENSE REUTILIZATION AND MARKETING SERVICE
NAVAL INSPECTOR GENERAL
AUDITOR GENERAL, DEPARTMENT OF THE ARMY
DIRECTOR OF CORPORATE INFORMATION, U.S. ARMY CORPS OF ENGINEERS
COMMANDER, U.S. ARMY CORPS OF ENGINEERS LOUISVILLE DISTRICT
COMMANDER, U.S. ARMY GARRISON WEST POINT
    DIRECTOR OF LOGISTICS, U.S.
ARMY GARRISON WEST POINT
COMMANDER, NAVAL AIR SYSTEMS COMMAND
    COMMANDER, NAVAL WARFARE CENTER AIRCRAFT DIVISION
    COMMANDER, NAVAL FACILITIES ENGINEERING COMMAND
COMMANDER, 436TH MEDICAL GROUP, DOVER AIR FORCE BASE
COMMANDER, 50TH NETWORK OPERATIONS GROUP, SCHRIEVER AIR FORCE BASE
    COMMANDER, 50TH SPACE COMMUNICATIONS SQUADRON
COMMANDER, 21ST SPACE WING COMMAND, PETERSON AIR FORCE BASE
COMMANDER, 108TH AIR REFUELING WING, MCGUIRE AIR FORCE BASE
    COMMANDER, 108TH COMMUNICATIONS FLIGHT
    COMMANDER, 108TH LOGISTICS READINESS SQUADRON

Report No. D-2009-104 (Project No. D2008-D000LC-0064.000)          September 21, 2009

Results in Brief: Sanitization and Disposal of Excess Information Technology Equipment

What We Did
We determined whether DOD Components sanitized and disposed of excess unclassified information technology (IT) equipment in accordance with Federal and DOD requirements. We also determined whether the Defense Reutilization and Marketing Service (DRMS) disposed of excess IT equipment in accordance with security requirements, and whether the Army, Navy, and Air Force properly safeguarded sensitive information on excess unclassified IT equipment. We visited 6 DOD Components, 9 DRMS processing centers, and 2 contractors and selected a nonstatistical sample of 543 of 4,105 pieces of excess unclassified IT equipment.

What We Found
DOD Components' internal controls were not adequate. Specifically, DOD Components did not properly sanitize, document, or fully account for excess unclassified IT equipment before releasing the equipment to other organizations. Furthermore, DRMS processing centers processed excess unclassified IT equipment for disposal or redistribution without proof that equipment had been properly sanitized.

These instances of nonperformance occurred because DOD Components did not follow policies, adequately train personnel, or develop and implement site-specific procedures to ensure excess unclassified equipment was sanitized and disposed of properly. Additionally, DOD guidance issued by the Assistant Secretary of Defense (Networks and Information Integration)/DOD Chief Information Officer and the Navy Chief Information Officer was out of date and did not cover sanitizing and disposing of new types of information storage devices.

As a result, four DOD Components could not ensure personally identifiable information or other sensitive DOD information was protected from unauthorized release, and one DOD Component could not account for an excess unclassified computer.

What We Recommend
We recommended that:

• the Assistant Secretary of Defense (Networks and Information Integration)/DOD Chief Information Officer and the Deputy Chief of Naval Operations for Communications Networks update current sanitization and disposal policies to ensure they address current technology issues;

• the Department of the Navy Chief Information Officer establish and implement a clear, detailed policy for sanitizing and disposing of excess IT equipment including electronic storage devices; and

• DOD Components sanitize and account for excess unclassified IT equipment in accordance with applicable laws and regulations.

Management Comments and Our Responses
The Commander, 436th Medical Group, and the Commander, 50th Space Communications Squadron, did not provide comments on the draft report issued on June 25, 2009. We request comments from them on the final report by October 21, 2009. Management comments we received were partially responsive. We request additional comments from the responding organizations as indicated in the recommendations table on the back of this page.

Recommendations Table

Management                                               Recommendations       No Additional
                                                         Requiring Comment     Comments Required
Assistant Secretary of Defense (Networks and                                   1
  Information Integration)/DOD Chief Information Officer
Director of Corporate Information, U.S. Army             2
  Corps of Engineers
Department of the Navy Chief Information Officer         6.d                   3
Deputy Chief of Naval Operations for                                           4
  Communications Networks
Commander, U.S. Army Corps of Engineers                  5.a and 5.b
  Louisville District
Commander, Naval Air Warfare Center Aircraft Division    6.d                   6.a; 6.b; and 6.c
Commander, 436th Medical Group, Dover Air Force Base     7.a and 7.b
Commander, 50th Space Communications Squadron,           7.a and 7.b
  Schriever Air Force Base

Please provide comments by October 21, 2009.

Table of Contents

Results in Brief                                                                 i
Introduction                                                                     1
    Objectives                                                                   1
    Background                                                                   1
    Review of Internal Controls                                                  3
Finding. Protecting Sensitive Information and Accounting for Excess
  Information Technology Equipment                                               4
    Recommendations, Management Comments, and Our Response                      13
Appendices
    A. Scope and Methodology                                                    19
        Prior Coverage                                                          21
    B. Label Certifying Hard Drive Disposition                                  22
    C. Immediate Action Memoranda to DOD Components                             23
Management Comments
    Assistant Secretary of Defense (Networks and Information Integration)/
      DOD Chief Information Officer                                             38
    Department of the Navy Chief Information Officer                            39
    U.S. Army Corps of Engineers Directorate of Corporate Information           43
    U.S. Army Corps of Engineers Louisville District                            44

Introduction

Objectives
Our audit objective was to determine whether DOD Components sanitized and disposed of excess unclassified information technology (IT) equipment[1] in accordance with Federal and DOD regulations. We also determined whether the Army, Navy, and Air Force properly safeguarded sensitive information on excess unclassified IT equipment by sanitizing and accounting for the equipment before forwarding it to Defense Reutilization and Marketing Service (DRMS) and whether the DRMS disposed of excess IT equipment in accordance with DOD requirements. See Appendix A for a discussion of the scope and methodology and prior coverage related to the objective.

Background

DOD Guidance
The Assistant Secretary of Defense for Command, Control, Communication, and Intelligence[2] Memorandum, "Disposition of Unclassified DOD Computer Hard Drives" (Disposition Memorandum), June 4, 2001, states that no information is to remain on unclassified IT equipment hard drives that are reused or permanently removed from DOD custody. The Disposition Memorandum outlines three acceptable methods for hard drive sanitization:

• Overwriting the hard drive by using software that replaces previously stored hard drive data with meaningless information. Only this method enables a hard drive to be redistributed for reuse.

• Degaussing a hard drive by demagnetizing it using a National Security Agency approved degausser. Properly applied, degaussing renders data on the hard drive unreadable. After degaussing, hard drives can seldom be used.

• Physically destroying a hard drive to ensure it is not usable in a computer and that no data can be recovered or read. Sufficient force is applied to the top of the hard drive unit to damage the disk surface.
In addition, connectors that interface with the computer must be mangled, bent, or damaged to the point that the hard drive cannot be reconnected without significant rework. Before a hard drive is physically destroyed, it should be overwritten or degaussed. This method results in the hard drive being unusable.

[1] IT equipment that processed or contained unclassified information.
[2] The Assistant Secretary of Defense for Command, Control, Communication, and Intelligence used to fulfill Chief Information Officer duties; those duties now belong to the Assistant Secretary of Defense (Networks and Information Integration)/DOD Chief Information Officer.

In addition, the Disposition Memorandum requires DOD Components to complete a disposition label certifying that sanitization has been performed. The completed disposition label must be attached to the hard drive or the computer housing the hard drive. The disposition label details basic information about the DOD Component, computer, and hard drive; the method and software used to sanitize the hard drive, if applicable; the method for destroying the hard drive, if applicable; and the signature and contact information for the DOD Component personnel that performed the sanitization.

DOD Components send their excess IT equipment to DRMS processing centers. DRMS processing centers make excess IT equipment available to another DOD Component, another Federal agency, or a school or other nonprofit organization; sell it to the public; or destroy it.

DOD Components are required to sanitize excess or surplus unclassified IT equipment in accordance with the Disposition Memorandum before sending it to a DRMS processing center. DRMS is responsible for training DOD Components on turn-in procedures, including inspecting and classifying property, verifying identity and quantity on disposal documentation, and maintaining property accountability for and control of excess equipment.

Based on the DOD Directive 8100.01, "Global Information Grid Overarching Policy," November 21, 2003, definition of IT equipment,[3] we identified the following as IT equipment: computers (desktops and laptops), external/auxiliary hard drives, printers, scanners, cell phones, personal digital assistants, and removable storage devices (such as thumb drives, moving picture experts group audio layer III [mp3] players, diskettes, compact discs, digital video discs, and subscriber identity module cards). During FYs 2007 and 2008, DOD disposed of 340,349 pieces of usable IT equipment and 57,485,000 pounds of scrap IT equipment.

[3] DOD Directive 8100.01 defines IT equipment as any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by a DOD Component.

DOD Instruction 5000.64, "Accountability and Management of DOD Owned Equipment and Other Accountable Property," November 2, 2006, requires that an electronic property receipt record be maintained throughout the property's life cycle regardless of its status (acquisition, in-service, unserviceable, obsolete, excess, surplus) or physical location. To account for the IT assets, this Instruction also requires that excess unclassified IT equipment with a unit acquisition cost of $5,000 or more, or equipment that is considered to be sensitive, be accounted for in an electronic record-keeping system until the activity receiving the equipment confirms its receipt in writing.

Industry Sanitization Guidelines
The National Institute of Standards and Technology is responsible for developing standards and guidelines for providing adequate information security for all Federal agency operations and assets. National Institute of Standards and Technology Special Publication 800-88, "Guidelines for Media Sanitization," September 2006, outlines specifications for the:

• sanitization and disposal of information storage devices based on ownership;
• overwriting, degaussing, and destruction of excess information storage devices; and
• completion of sanitization, disposition, and accountability documents.

National Institute of Standards and Technology Special Publication 800-88 requires organizations to develop and use local policies and procedures in conjunction with this publication to decide the method of sanitization and disposition of information storage devices.

Review of Internal Controls
At the sites visited, we identified internal control weaknesses as defined by DOD Instruction 5010.40, "Managers' Internal Control (MIC) Program Procedures," January 4, 2006. DOD Components and DRMS processing centers did not follow relevant DOD policies, adequately train personnel, or develop and implement site-specific procedures to ensure excess unclassified IT equipment was properly sanitized and accounted for. In addition, DOD and Navy policies governing the sanitization of excess IT equipment were outdated. Implementing Recommendations 1 through 7 will improve DOD sanitization and disposal processes. We will provide a copy of this report to the senior officials responsible for internal controls for the Assistant Secretary of Defense (Networks and Information Integration)/DOD Chief Information Officer (ASD[NII]/DOD CIO) and the Army, Navy, and Air Force.

Finding. Protecting Sensitive Information and Accounting for Excess Information Technology Equipment
DOD Components did not properly sanitize, document, or fully account for excess unclassified IT equipment before it was released to other Federal, DOD, or non-Federal organizations. In addition, DRMS processing centers processed excess unclassified IT equipment without documentation that the equipment was properly sanitized. DOD Components and DRMS processing centers fell short because they did not follow DOD policies, adequately train personnel, or develop and implement site-specific procedures to ensure excess unclassified IT equipment was properly accounted for and sanitized. Furthermore, DOD and Navy policies governing the sanitization of excess IT equipment are outdated.
As a result, four DOD Components could not ensure that personally identifiable information or other sensitive DOD information was protected from unauthorized release, and one DOD Component could not account for an excess unclassified computer.

Processing Excess Unclassified IT Equipment
DOD Components are required to sanitize excess IT equipment before disposal to protect sensitive DOD information, as well as other sensitive information such as personally identifiable information, from public disclosure. Public disclosure of this information can cause harm to DOD and its operations and potentially to individuals whose personal information has been compromised. Therefore, this process is required to be adequately documented to ensure required procedures have been followed. Finally, DOD Components are also required to properly maintain and account for IT equipment throughout its life cycle.

Sanitizing Excess Unclassified IT Equipment
DOD Components did not properly sanitize IT equipment before processing it for reuse, transfer, donation, or destruction in accordance with the Disposition Memorandum. The Disposition Memorandum requires that no information is to remain on hard drives of unclassified IT equipment that are reused or permanently removed from DOD custody. At 4 locations we identified 10 pieces of excess unclassified IT equipment that contained readable information on hard drives. Specifically, the following pieces of excess unclassified IT equipment contained readable information.

• An electrocardiogram machine waiting to be shipped from the 436th Medical Group at Dover Air Force Base (AFB), Delaware, to another Air Force component contained the full names and Social Security numbers of three patients. Officials told us that the electrocardiogram machine contained this information because the 436th Medical Group personnel were unaware that some medical equipment, such as electrocardiogram machines, contained hard drives. The 436th Medical Group officials said they had not been properly trained to sanitize all types of excess unclassified IT equipment.

• Five hard drives waiting to be shipped from the Naval Air Warfare Center Aircraft Division (NAWCAD), Naval Air Station (NAS) Patuxent River, Maryland, to a DRMS processing center contained readable information. One computer contained information such as phone numbers, e-mail addresses, instant messaging traffic, pictures, and various system log files. These hard drives contained information because the Naval Air Systems Command (NAVAIR) and NAWCAD had not adequately trained personnel responsible for sanitizing equipment or developed site-specific policies that clearly defined sanitization and disposal roles and responsibilities. For example, NAWCAD lab personnel had not received formal training on degaussing equipment and, in one instance, used an audio-video degausser to degauss hard drives.

• Three hard drives waiting to be redistributed from the 50th Space Communications Squadron, Schriever AFB, Colorado, to another Schriever AFB command contained personal user folders or default operating system information. The information remained on the equipment because the 50th Space Communications Squadron had not established and implemented a process ensuring that excess unclassified IT equipment containing more than one hard drive was properly sanitized. Two of the three hard drives that were not properly sanitized were pulled from computers that housed more than one hard drive, and the equipment custodian did not physically verify whether these computers contained more than one hard drive. No explanation was available as to why the third hard drive had not been properly sanitized.

• A hard drive sent from the U.S. Army Garrison West Point, New York, to a DRMS processing center contained bytes of random characters. Officials told us that this occurred because the U.S. Army Garrison West Point did not properly train personnel. In addition, U.S. Army Garrison West Point did not follow proper procedures by performing the required verification of sanitized excess unclassified IT equipment before sending equipment to a DRMS processing center.

During our site visit in June 2008, the U.S. Army Corps of Engineers (USACE) Louisville District, Louisville, Kentucky, was properly sanitizing excess hard drives. However, in August 2008 the Director of Corporate Information instituted a new process for the sanitization and disposal of USACE excess hard drives whereby a contractor physically destroys them. The new process is outlined in the draft Army Corps of Engineers IT Standard Operating Procedure, "Process for Hard Drive Destruction," August 6, 2008. The Army Corps of Engineers IT Standard Operating Procedure requires the physical destruction of hard drives to be conducted in accordance with Army Regulation 25-2, "Information Assurance," October 24, 2007. Yet whereas Army Regulation 25-2 requires all excess unclassified Army hard drives to be overwritten or degaussed before leaving DOD custody, the Army Corps of Engineers IT Standard Operating Procedure does not require hard drives to be overwritten or degaussed before shipping to the contractor. As a result of changing the process, USACE cannot ensure DOD information is properly protected from unauthorized release.

As a result of these weaknesses, five DOD Components sent or were preparing to send excess IT equipment containing DOD information (including personally identifiable information) to other Federal, DOD, or non-Federal organizations.

Documenting Sanitization of Excess Unclassified IT Equipment
Five DOD Components did not properly complete documentation for excess unclassified IT equipment submitted to DRMS processing centers. The Disposition Memorandum states that once sanitization has been carried out, a signed disposition label[4] must be attached to the hard drive or the computer housing the hard drive. Disposition labels verify that the equipment was properly sanitized. The disposal turn-in documents provide DRMS processing centers with key information needed to process excess equipment. During fieldwork we identified the following examples of the lack of supporting documentation.

• USACE Louisville District did not accurately complete disposition labels for 4 of the 10 computers sampled. Two disposition labels were missing the sanitization date, one disposition label was missing the make and model, and the fourth disposition label had no signature date. The disposition labels were not properly completed because USACE Louisville District did not adequately train responsible personnel to properly complete disposition labels.

• The U.S.
Army Garrison West Point did not properly prepare disposition labels for two of four excess unclassified hard drives. The hard drives did not have a disposition label or did not have a properly prepared disposition label. One of these computers contained information on its hard drive. Officials said the disposition labels were not attached or were improperly prepared because the U.S. Army Garrison West Point did not adequately train the responsible personnel to attach or complete disposition labels.

• Two NAVAIR data centers and two labs located at NAS Patuxent River did not complete disposition labels for excess unclassified IT equipment. This occurred because personnel were not aware of the Disposition Memorandum requirements. In addition, three NAWCAD computers were turned in to the Naval Facilities Engineering Command (NAVFAC) Property Disposal Office without disposal turn-in documents. Furthermore, for one sampled computer, NAWCAD personnel generated and submitted a duplicate disposal turn-in document number[5] to a DRMS processing center. The NAVFAC Property Disposal Office personnel did not know which NAS Patuxent River activity had turned in three computers without supporting documentation. Barcodes indicated that the computers belonged to NAWCAD, but that was insufficient information to determine which NAWCAD division owned the computers. Furthermore, NAWCAD personnel created duplicate disposal turn-in document numbers because personnel used different methods that did not interface to generate disposal turn-in document numbers.

[4] See Appendix B for a more detailed description of a hard drive disposition label showing the types of information DOD Components frequently omitted.
[5] The disposal turn-in document number is a distinct 14-digit number that consists of the DOD activity's six-digit DOD activity address code, four-digit Julian date, and four-digit serial number.

• The 108th Air Refueling Wing at McGuire AFB, New Jersey, did not attach or fully complete disposition labels for 92 pieces of excess unclassified IT equipment. Wing personnel did not attach disposition labels to 51 hard drives and did not indicate the method of sanitization for 41 computer shells. They also did not attach or complete disposition labels as required by the Disposition Memorandum and Air Force System Security Instruction 5020, "Communications and Information Remanence Security," April 17, 2003.

• The 50th Space Communications Squadron at Schriever AFB did not attach disposition labels to six computers because personnel did not follow the Disposition Memorandum or Air Force Instruction 5020, which require that a disposition label be attached to the hard drive or the computer housing the hard drive. We were told that the 50th Space Communications Squadron personnel attach disposition labels only to computers being sent to DRMS processing centers.

In addition, DRMS processing centers processed 108 out of 148 pieces of excess unclassified IT equipment without documentation that the equipment had been properly sanitized. Nine DRMS processing centers processed 41 pieces of equipment that did not include disposition labels, 64 pieces of equipment that had incomplete disposition labels,[6] and 3 pieces of equipment that had inaccurate disposition labels.[7] Appendix B shows an example of the disposition label highlighting the types of missing information. Officials said that DRMS processed excess unclassified IT equipment without supporting documentation because DRMS had experienced significant turnover in personnel and had not trained new staff.

Since five DOD Components did not properly complete supporting documentation and nine DRMS processing centers processed excess unclassified IT equipment without proper documentation, DOD was unable to ensure that information contained on excess unclassified IT equipment was properly protected from unauthorized release.

[6] Incomplete disposition labels are labels that did not have the date and signature from the DOD Component verifying that the hard drive was sanitized or did not state the method of sanitization.
[7] Inaccurate disposition labels are labels that did not accurately reflect the equipment status (for example, a disposition label stating that the hard drive was removed, attached to a computer in which the hard drive was present).

Accounting for Excess Unclassified IT Equipment
DOD Components did not account for excess unclassified hard drives after they were removed from computer shells, nor did they account for other pieces of excess unclassified IT equipment throughout their life cycle. DOD Instruction 5000.64 requires that excess unclassified IT equipment having a unit acquisition cost of $5,000 or more and assets that are sensitive be accounted for in an electronic record-keeping system until the activity receiving the equipment confirms receipt of equipment in writing. This requirement ensures that the information contained on the equipment is protected and the equipment itself is accounted for throughout its life cycle.

At 5 of the 15 locations visited, DOD personnel did not account for hard drives after they were removed from computer shells. At 2 of the 15 locations, personnel did not account for other pieces of excess IT equipment throughout their life cycle. Following are examples of the accountability issues identified.

• USACE Louisville District did not account for 11 excess unclassified hard drives after they were removed from their computer shells. USACE Louisville District standard operating procedure did not include procedures to electronically account for physically removed hard drives. For example, USACE did not have an electronic log to document hard drives that were stockpiled and unable to be properly sanitized.

• NAVAIR labs and data centers at NAS Patuxent River did not electronically account for excess unclassified hard drives that had been removed from the computer shells. Personnel were unaware that they needed to account for hard drives removed from their computer shells. In addition, the NAWCAD Property Management Team removed the equipment from the Navy Enterprise Resource Planning system too early. The team should have waited to remove the equipment from the system until they received documentation from DRMS stating that the equipment had been received and processed. Instead, the NAWCAD Property Management Team removed the equipment from the system when they received a receipt from the NAVFAC Property Disposal Office.

• The 436th Medical Group at Dover AFB did not electronically account for 105 hard drives removed from their computer shells because personnel were unaware that removed hard drives in the process of being degaussed needed to be accounted for electronically.

• The 108th Air Refueling Wing at McGuire AFB did not account for 92 pieces of excess unclassified IT equipment throughout their entire life cycle.
Personnel\n       removed IT equipment from the electronic record-keeping system too early. The\n       92 pieces of excess unclassified IT equipment were removed from the electronic\n       record-keeping system when they were turned in to the Communications Flight\n       for sanitization and disposal instead of when DRMS received and processed\n       them.\n\n   \xef\x82\xb7   The 50th Space Communications Squadron at Schriever AFB did not\n       electronically account for hard drives removed from their computer shells because\n       personnel considered hard drives to be accounted for as part of the original\n       computer shell.\n\nDOD did not properly account for at least 208 pieces of excess unclassified IT equipment\nin an electronic record-keeping system because DOD Components did not consider\nphysically removed hard drives to be accountable assets and therefore did not apply the\nestablished criteria to them. As a result, DOD cannot ensure that excess unclassified IT\nequipment is accounted for or properly protected from unauthorized release. It is\nimperative that DOD Components account for excess unclassified IT equipment\nthroughout its life cycle to protect information on the equipment. For the same reason, it\nis critical to account for hard drives removed from their computer shells.\n\nDOD and Navy Sanitization Policies\nDOD Components are required to ensure the timely issuance and updating of policies\ngoverning DOD operations, functions, and programs. Specifically, Components are\nrequired to review existing policies periodically to determine whether the policies should\nbe updated, incorporated in or converted to a DOD issuance, reissued, or canceled. 
If\nDOD Component personnel fail to conduct the periodic reviews and updates, critical\npolicies may not provide the specific guidance needed to carry out DOD functions\neffectively.\n\nDOD Policy\nThe ASD(NII)/DOD CIO has not updated the Disposition Memorandum since it was\nissued in June 2001. The Disposition Memorandum\xe2\x80\x99s policies and procedures were\nintended to ensure that all hard drives contained in excess unclassified computers were\nproperly sanitized before being disposed of outside DOD. However, the Disposition\nMemorandum does not address other types of DOD information storage devices in use at\nthe time\xe2\x80\x94such as printers and fax machines\xe2\x80\x94nor has it been updated to include newer\ninformation storage devices, such as thumb drives, compact discs, digital video devices,\nand digital data or voice recorders, which can also contain sensitive DOD information.\nThe failure to include all current types of information storage devices in the Disposition\nMemorandum creates the risk that these devices will not be properly sanitized of all\nsensitive information before disposal.\n\nFurthermore, DOD Instruction 5025.01, \xe2\x80\x9cDOD Directive Program,\xe2\x80\x9d October 28, 2007,\nrequires that a DOD Directive-Type Memorandum be incorporated in existing policy,\nconverted to a new policy, reissued, or canceled within 180 days of the issuance of the\nInstruction. 
The ASD(NII)/DOD CIO has not followed the Instruction.\n\nAn ASD (NII)/DOD CIO Senior Policy Analyst stated he had not updated the Disposition\nMemorandum because of the competing priorities of national security and scarce\nresources.\n\n\n\n                                            9\n\x0cNavy Policy\nThe Department of the Navy has not updated Navy-specific criteria for the sanitization\nand disposal of excess IT equipment to fully implement the Disposition Memorandum.\nNor has the Navy updated its instructions to include newer information storage devices\nsuch as thumb drives and digital video devices. The Deputy Chief of Naval Operations\nfor Communications Networks has not updated Navy Information Assurance\nPublication 5239-26 since it was issued in May 2000.8 The Navy Publication provides\ninstructions to Navy Components on:\n\n    \xef\x82\xb7   sanitization of electronic storage media for later reuse,\n    \xef\x82\xb7   methods for destruction of electronic storage media, and\n    \xef\x82\xb7   removal of external markings from electronic storage media.\n\nThe Disposition Memorandum outlines policies and procedures to ensure that hard drives\nin excess unclassified computers are properly sanitized before being disposed of outside\nof DOD. The Navy Publication includes the three sanitization methods outlined in the\nDisposition Memorandum, but does not require the completion and attachment of the\ndisposition label validating that the hard drive was sanitized. Also, the Navy Publication\ndoes not require the verification of overwriting, the method used to sanitize at least\n20 percent of the Navy\xe2\x80\x99s excess hard drives. 
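The gap just named, an overwrite step that nobody reads back, is the one a verification pass closes: a sanitization record should attest that every sector (or a defensible sample of sectors) was read back and matched the overwrite pattern, not merely that a tool was run. NIST SP 800-88 describes both full verification and representative sampling for this purpose. The Python below is an added example, not code from this report or from any DOD, Navy or DRMS tool. It works on a constructed in-memory image rather than a block device, so it runs offline; the 512-byte sector size, the fake partition table, the made-up personnel record and the `skip` argument (a simulation hook standing in for sectors a faulty tool never rewrote) are all assumptions of the example.

```python
import random

SECTOR = 512            # bytes per logical sector (assumption; 4096 on many newer drives)
ZEROS = b"\x00"         # single-pass all-zeros overwrite pattern


def tile(pattern: bytes, size: int = SECTOR) -> bytes:
    """Repeat a short pattern so it fills exactly one sector."""
    if not pattern:
        raise ValueError("pattern must not be empty")
    return (pattern * (size // len(pattern) + 1))[:size]


def build_sample_drive(sectors: int = 64, seed: int = 7) -> bytearray:
    """Constructed stand-in for an excess unclassified hard drive. Sector 0
    holds a fake partition table and three sectors hold a made-up personnel
    record; the rest is seeded random filler. Everything here is synthetic."""
    rng = random.Random(seed)
    img = bytearray(rng.randbytes(sectors * SECTOR))
    img[0:16] = b"FAKE-PART-TABLE!"
    record = b"NAME: J. DOE  SSN: 000-00-0000  CLEARANCE: NONE\n"
    for s in (5, 23, 40):
        img[s * SECTOR:s * SECTOR + len(record)] = record
    return img


def overwrite_image(img: bytearray, pattern: bytes, skip=frozenset()) -> None:
    """Single-pass overwrite of every sector with the tiled pattern.
    `skip` is a simulation hook only: it stands in for sectors a faulty tool
    or a failing drive silently never rewrote."""
    block = tile(pattern)
    for s in range(len(img) // SECTOR):
        if s not in skip:
            img[s * SECTOR:(s + 1) * SECTOR] = block


def verify_overwrite(img, pattern: bytes, sample_fraction=None, seed: int = 0) -> dict:
    """Read sectors back and compare each one to the expected pattern.

    sample_fraction=None verifies every sector. A fraction verifies the first
    and last sectors plus a seeded pseudo-random subset, which is cheaper but
    can miss an isolated unwiped sector: a failing sample proves 'not
    sanitized', a passing sample is only probabilistic evidence."""
    expected = tile(pattern)
    total = len(img) // SECTOR
    if sample_fraction is None:
        indices = range(total)
    else:
        rng = random.Random(seed)
        k = min(total, max(2, int(total * sample_fraction)))
        indices = sorted(set(rng.sample(range(total), k)) | {0, total - 1})
    failed = [s for s in indices
              if bytes(img[s * SECTOR:(s + 1) * SECTOR]) != expected]
    return {"checked": len(indices), "failed": failed, "sanitized": not failed}


def find_residual_text(img, needle: bytes) -> list:
    """Byte offsets where readable residue survives, which is exactly what a
    'quick format' that only clears the partition table leaves behind."""
    data, hits, pos = bytes(img), [], -1
    while True:
        pos = data.find(needle, pos + 1)
        if pos == -1:
            return hits
        hits.append(pos)


def demo() -> dict:
    """Three outcomes that a verification step tells apart."""
    results = {}
    # 1. Only sector 0 cleared ('quick format'): the data sectors are untouched.
    img = build_sample_drive()
    img[0:SECTOR] = tile(ZEROS)
    results["quick_format"] = verify_overwrite(img, ZEROS)
    results["quick_format_residue"] = find_residual_text(img, b"SSN:")
    # 2. Overwrite tool that silently skipped sector 23 (simulated via `skip`).
    img = build_sample_drive()
    overwrite_image(img, ZEROS, skip={23})
    results["skipped_sector"] = verify_overwrite(img, ZEROS)
    results["skipped_sector_sampled"] = verify_overwrite(img, ZEROS, sample_fraction=0.25)
    # 3. Complete overwrite: the read-back matches everywhere.
    img = build_sample_drive()
    overwrite_image(img, ZEROS)
    results["full_overwrite"] = verify_overwrite(img, ZEROS)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

On a real drive the same loop reads the block device sector by sector after the overwrite tool has finished, and the verification result (pattern, sectors checked, sectors failed, date, operator) is what belongs on the disposition label. A host read cannot reach sectors the drive has remapped or areas hidden by a host protected area or device configuration overlay, which is one reason the Disposition Memorandum still requires degaussing or destruction, not overwriting alone, for drives leaving service.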
Therefore, Navy Components were not\nrequired to include completed disposition labels or validate that sanitization had actually\noccurred before releasing the excess IT equipment for disposal outside DOD.\n\nAccording to an official from the Office of the Deputy Chief of Naval Operations for\nCommunications Networks, the Navy Publication had not been updated because the Navy\nhad competing priorities and scarce resources.\n\nThe DOD Disposition Memorandum and Navy Publication 5239-26 are out of date and\ndo not contain the requirements needed to address all types of information storage devices\nand to ensure these devices are sanitized and disposed of correctly to protect sensitive\ndata. The lack of specific, up-to-date guidance contributes to DOD Components not\nsanitizing and disposing of all types of IT equipment properly, including information\nstorage devices.\n\n\n8\n  Army Regulation 25-1, \xe2\x80\x9cArmy Knowledge Management and Information Technology,\xe2\x80\x9d July 15, 2005,\nand Air Force System Security Instruction 5020, \xe2\x80\x9cCommunications and Information Remanence Security,\xe2\x80\x9d\nApril 17, 2003, both incorporate the requirements of the Disposition Memorandum. In addition, both\ninstructions include guidance on the sanitization of new types of information storage devices.\n\nCorrective Actions\nWe issued memoranda to Commander, 436th Medical Group, Dover AFB; Commander,\nU.S. Army Garrison West Point; Director of Information Management, U.S. Army\nGarrison West Point; Commander, 108th Air Refueling Wing, McGuire AFB;\nCommander, 108th Communications Flight; Commander, 108th Logistics Readiness\nSquadron; Commander, 50th Network Operations Group; Commander, 50th Space\nCommunications Squadron, Schriever AFB; Commander, Naval Air Systems Command\nPatuxent River; Commander, Naval Air Warfare Center Aircraft Division; and Deputy\nPublic Works Officer, Naval Facilities Engineering Command. See Appendix C for the\nfull text of the five memoranda. The memoranda provided feedback on areas of concern\nthat needed management\xe2\x80\x99s immediate attention. DOD Components have taken\npreliminary steps to correct weaknesses identified; however, additional work is needed.\nThe additional work needed is addressed in our recommendations.\n\nActions to Improve Information Security\nAs a result of the audit, the Components recognized the need to adequately sanitize IT\nequipment, train personnel, and establish written policies and procedures. Since our site\nvisits, officials have taken the following steps to strengthen the sanitization and disposal\nprocess.\n\n   \xef\x82\xb7   As of November 2008, the USACE Louisville District required the completion\n       and attachment of a property control receipt and a disposition label to all excess\n       computers and hard drives removed from their computer shells.\n\n   \xef\x82\xb7   The U.S. Army Garrison West Point has established policy that outlines\n       procedures for proper sanitization of excess unclassified IT equipment.\n       According to the Garrison Commander, the policy will identify organizational\n       responsibilities and training requirements. The Directorate of Information\n       Management will provide the training, and has scheduled training on the\n       sanitization and disposal of information storage devices for the third quarter of\n       FY 2009. 
Finally, the Director of the Internal Review and Audit Compliance\n       Office at West Point plans to conduct a compliance review during the third\n       quarter of FY 2009.\n\n   \xef\x82\xb7   According to the Commander, Naval Air Systems Command, NAWCAD intends\n       to coordinate with the NAVAIR Chief Information Officer to develop appropriate\n       processes and procedures relating to sanitization and disposal of excess IT\n       equipment and will use only one system to generate disposal turn-in documents.\n       However, NAWCAD does not expect that system to be the DRMS Electronic\n       Turn-In Document (ETID) system. In addition, the NAVFAC Deputy Public Works\n       Officer at NAS Patuxent River has started updating written policy to clarify the\n       process for sanitizing and disposing of excess IT equipment.\n\n   \xef\x82\xb7   The Commander, 436th Medical Group, Dover AFB, implemented a process in\n       July 2008 to check medical equipment for embedded hard drives and remove\n       personally identifiable information before sending the equipment to DRMS\n       processing centers. All biomedical equipment repair technicians and medical\n       information systems technicians at the 436th Medical Group have been trained on\n       the new procedures for removing and degaussing embedded hard drives and for\n       cleaning hard drives with authorized overwriting software. 
In addition, the 436th Medical Group\n       asked the Air Force Medical Logistics Office to include the new procedures in the\n       Air Force Instruction governing medical equipment maintenance and repair.\n\n   \xef\x82\xb7   The 108th Communications Flight, McGuire AFB, is now completing and\n       attaching disposition labels to the outside of excess computers and hard drives\n       removed from their computer shells.\n\n   \xef\x82\xb7   The Commander, 50th Network Operations Group, and the 50th Space\n       Communications Squadron, Schriever AFB, are implementing requirements to verify\n       the number of hard drives in an IT unit when the equipment is turned in. The two\n       units are also developing sanitization training, purchasing degaussing equipment,\n       and updating current procedures to incorporate the requirements in Air Force\n       System Security Instruction 8580. According to the lead equipment custodial\n       officer, since June 2008, personnel from the 50th Network Operations Group and\n       the 50th Space Communications Squadron have been completing and attaching\n       disposition labels to IT equipment being sanitized and reused within those two\n       units.\n\n   \xef\x82\xb7   According to DRMS personnel, DRMS is revising the Compliance Assessment\n       Program to address the proper process for receiving computer hard drives.\n       DRMS is developing a new training course called \xe2\x80\x9cGuidance for Computers, Hard\n       Drives, Electronic Test Equipment, Cell Phones, Fax Machines, Printers, and\n       Land Mobile Radios.\xe2\x80\x9d Furthermore, management at the DRMS Mechanicsburg\n       processing center immediately held a stand-down with all receiving employees to\n       provide remedial refresher training reiterating the instructions for the proper\n       processing of computers.\n\nThese DOD Components have taken 
corrective action to address some of the internal\ncontrol weaknesses identified during the audit; therefore, we are not making\nrecommendations related to the corrective actions taken.\n\nActions to Improve Property Accountability\nAs a result of our audit, the Commander, 108th Communications Flight, recognized the\nneed to properly account for excess unclassified IT equipment. The\n108th Communications Flight, McGuire AFB, created an additional equipment custodian\naccount in the Information Technology Automated Management System to maintain\n100-percent accountability for IT equipment turned in by customers as excess.\nIn addition, the 108th Communications Flight developed an Excel spreadsheet\napplication to maintain 100-percent accountability for hard drives that are removed from\ncomputers or laptops. Therefore, we are not making a recommendation to the\nCommander, 108th Communications Flight, on these issues.\n\nActions to Improve Physical Protection of Excess Hard Drives\nDuring the audit, we informed the Commander, 108th Communications Flight, of the lack\nof sufficient physical protection for excess hard drives removed from computer shells.\nAlthough the Commander, 108th Communications Flight, felt physical security measures\nwere sufficient, he agreed to improve the physical protection of excess hard drives. Since\nour site visit, the 108th Communications Flight purchased locks for the storage containers\nthat housed the excess hard drives, and personnel label the storage containers to indicate\nwhich hard drives are awaiting sanitization and which ones are sanitized. 
Therefore, we\nare not making a recommendation to the Commander, 108th Communications Flight, on\nthis issue.\n\nConclusion\nThe six DOD Components visited or contacted did not properly sanitize, document, or\nfully account for excess unclassified IT equipment before it was released to other Federal,\nDOD, or non-Federal organizations. Also, eight of the nine DRMS processing centers\nvisited processed excess unclassified IT equipment without documentation that the\nequipment was properly sanitized. Action has been taken to correct some of the\nproblems identified during the audit. Implementing the following recommendations will\nfurther improve DOD sanitization and disposal processes for excess unclassified IT\nequipment and ensure that all problems identified are corrected.\n\nRecommendations, Management Comments, and Our\nResponse\n1. We recommend that the Assistant Secretary of Defense (Networks and\nInformation Integration)/DOD Chief Information Officer, in accordance with DOD\nInstruction 5025.01, \xe2\x80\x9cDOD Directive Program,\xe2\x80\x9d October 28, 2007, update the\nmemorandum, \xe2\x80\x9cDisposition of Unclassified DOD Computer Hard Drives,\xe2\x80\x9d June 4,\n2001 (Disposition Memorandum), to incorporate guidelines for sanitizing and\ndisposing of all types of information technology equipment, including other\ninformation storage devices. 
When updating the Disposition Memorandum, the\nAssistant Secretary of Defense (Networks and Information Integration)/DOD Chief\nInformation Officer should consider the requirements outlined in National Institute\nof Standards and Technology Special Publication 800-88, \xe2\x80\x9cGuidelines for Media\nSanitization,\xe2\x80\x9d September 2006.\n\nAssistant Secretary of Defense (Networks and Information\nIntegration)/DOD Chief Information Officer Comments\nThe Principal Director to the Deputy Assistant Secretary of Defense for Cyber,\nInformation, and Identity Assurance, responding for the Assistant Secretary of Defense\n(Networks and Information Integration)/DOD Chief Information Officer, agreed. He\nstated the Disposition Memorandum will be updated and incorporated in DOD\nDirective 8500.01E, \xe2\x80\x9cInformation Assurance,\xe2\x80\x9d October 24, 2002, certified current as of\nApril 23, 2007, and DOD Instruction 8500.2, \xe2\x80\x9cInformation Assurance Implementation,\xe2\x80\x9d\nFebruary 6, 2003, by the end of 2009.\n\nOur Response\nThe comments of the Principal Director were responsive. No additional comments are\nrequired.\n\n\n\n\n                                            13\n\x0c2. We recommend that the Director of Corporate Information, U.S. Army Corps of\nEngineers, reinstitute overwriting or degaussing of hard drives before shipping the\nhard drives to the contractor.\n\nU.S. Army Corps of Engineers Comments\nThe Director of Corporate Information, USACE, agreed with comments on the disposal\nprocedures. The Director stated that the procedures for shipping hard drives had been\nsuspended pending the audit finding but have since been revised. The Director stated that\nthe excess hard drives are being shipped for destruction to a facility approved by the U.S.\nGeneral Services Administration and are not being released for reuse. Therefore, he\nasserted that neither overwriting nor degaussing the hard drives is required under DOD\nregulations. 
In addition, the Director stated that controls and oversight were in place to\nprotect the information contained on these unclassified hard drives during transport.\nAccording to the Director, because of personnel and funding constraints, USACE has\nchosen to destroy the hard drives at a facility rather than onsite. Finally, the Director\nstated that the revised procedures comply with Army Regulations, protect the information\ncontained on the hard drives, and are cost-effective. These revised procedures were to be\nin place by August 30, 2009.\n\nOur Response\nThe comments of the Director of Corporate Information, USACE, were partially\nresponsive. We agree that USACE had suspended shipping hard drives to destruction\nfacilities. Also, we commend the USACE for the additional controls put in place when\ntransporting the hard drives for destruction at an approved facility. However, if USACE\ndoes not, at a minimum, overwrite the hard drives that are to be removed from service\nbefore transporting them for destruction, the USACE procedures do not meet the\nrequirements outlined in Section 3.1.1 of the Disposition Memorandum. Section 3.1.1\nrequires hard drives to be overwritten before reuse or removal from service. If the hard\ndrives are to be removed from service, the hard drives are also required to be degaussed\nor destroyed. Sensitive data, such as personally identifiable information, could be\ncompromised during the storage and transportation of the hard drives\xe2\x80\x94especially since\nthe hard drives are leaving DOD custody. If Section 3.1.1 is followed and the hard drives\nare overwritten by the user as required, there should be no readable data on the hard\ndrives to be compromised. Therefore, we do not believe that the USACE procedures\nfully meet the requirements of Section 3.1.1. 
We request that the Director of Corporate\nInformation, USACE, reconsider his position on the recommendation and provide\nadditional comments in response to the final report.\n\n3. We recommend that the Navy Chief Information Officer establish and implement\nguidelines for sanitizing and disposing of all types of information technology\nequipment including other information storage devices in accordance with current\nand future sanitization and disposal policy issued by the Assistant Secretary of\nDefense (Networks and Information Integration)/DOD Chief Information Officer.\nWhen establishing and implementing guidelines, the Navy Chief Information\n\n\n\n\n                                            14\n\x0c Officer should consider the requirements outlined in National Institute of\nStandards and Technology Special Publication 800-88, \xe2\x80\x9cGuidelines for Media\nSanitization,\xe2\x80\x9d September 2006.\n\nDepartment of the Navy Comments\nThe Navy Chief Information Officer agreed. The Acting Deputy Chief Information\nOfficer stated that the Chief Information Officer will coordinate and establish the\nrecommended policy within the Department, including the Navy, Marine Corps, and the\nChief of Naval Operations Special Assistant for Security, with an estimated completion\ndate of December 30, 2009.\n\nOur Response\nThe comments of the Acting Deputy Chief Information Officer were responsive, and no\nadditional comments are required.\n\n4. 
We recommend that the Deputy Chief of Naval Operations for Communications\nNetworks update Navy Information Assurance Publication 5239-26, \xe2\x80\x9cRemanence\nSecurity Guidebook,\xe2\x80\x9d May 2000, to comply with the current version of the\nDisposition Memorandum, \xe2\x80\x9cDisposition of DOD Computer Hard Drives,\xe2\x80\x9d June 4,\n2001, and any updates coming out of Recommendation 1.\n\nDepartment of the Navy Comments\nThe Navy Chief Information Officer and the Deputy Chief of Naval Operations for\nCommunications Networks agreed. The Acting Deputy Chief Information Officer stated\nthat the Deputy Chief of Naval Operations for Communications Networks will work with\nthe Acting Deputy Chief Information Officer to release guidance that addresses the\nweaknesses identified in this report. The estimated release date for the new guidance is\nDecember 30, 2009. Furthermore, the Deputy Chief of Naval Operations for\nCommunications Networks will coordinate and update Navy Information Assurance\nPublication 5239-26, \xe2\x80\x9cRemanence Security Guidebook,\xe2\x80\x9d May 2000, to fully implement\nthe Disposition Memorandum, \xe2\x80\x9cDisposition of DOD Computer Hard Drives,\xe2\x80\x9d June 4,\n2001; include additional types of electronic storage devices; and consider National\nInstitute of Standards and Technology Special Publication 800-88, \xe2\x80\x9cGuidelines for Media\nSanitization,\xe2\x80\x9d September 2006. She estimated the update of Navy Information Assurance\nPublication 5239-26 will be completed by January 29, 2010.\n\nOur Response\nThe comments of the Acting Deputy Chief Information Officer and the Deputy Chief of\nNaval Operations for Communications Networks were responsive, and no additional\ncomments are required.\n\n5. We recommend that the Commander of the U.S. Army Corps of Engineers\nLouisville District:\n\n       a. 
Account for all hard drives removed from their computer shells.\n\n\n\n                                          15\n\x0c        b. Account for hard drives removed from their computer shells that contain\nsensitive information in an electronic record-keeping system as required by DOD\nInstruction 5000.64, \xe2\x80\x9cAccountability and Management of DOD Owned Equipment\nand Other Accountable Property,\xe2\x80\x9d November 2, 2006.\n\nU.S. Army Corps of Engineers Louisville District Comments\nThe Commander, USACE Louisville District, agreed. He stated that the Louisville\nDistrict has implemented corrective actions to account for the hard drives of any\ncomputers that are not a part of the Army Corps of Engineers IT refresher program.\nSpecifically, the USACE Louisville District will attach a disposition label and property\ncontrol receipt to all excess computers and hard drives. Further, if guidance for the Army\nCorps of Engineers IT refresher program is not provided by headquarters, the USACE\nLouisville District will store the equipment until guidance is provided. Finally, the\nUSACE Louisville District has implemented an electronic record-keeping system to track\nequipment that contains sensitive information in accordance with DOD\nInstruction 5000.64, \xe2\x80\x9cAccountability and Management of DOD Owned Equipment and\nOther Accountable Property,\xe2\x80\x9d November 2, 2006.\n\nOur Response\nThe comments of the Commander, USACE Louisville District, are generally responsive.\nWe agree with the corrective actions that are planned. However, the Commander did not\nprovide estimated completion dates for the corrective actions. Also, for\nRecommendation 5.b, the Commander did not indicate which electronic record-keeping\nsystem would be used to track hard drives containing sensitive information that are\nremoved from their computer shells. 
The only additional comments needed are the\nestimated dates of completion for these actions and the electronic record-keeping system\nthat will be used to track the hard drives.\n\n6. We recommend that the Commander of the Naval Air Warfare Center Aircraft\nDivision:\n\n       a. Require all personnel responsible for sanitization and disposal to comply\nwith the memorandum, \xe2\x80\x9cDisposition of Unclassified DOD Computer Hard Drives,\xe2\x80\x9d\nJune 4, 2001, and any future updates.\n\n       b. Account for all hard drives removed from their computer shells.\n\n        c. Account for hard drives removed from their computer shells that contain\nsensitive information in an electronic record-keeping system as required by DOD\nInstruction 5000.64, \xe2\x80\x9cAccountability and Management of DOD Owned Equipment\nand Other Accountable Property,\xe2\x80\x9d November 2, 2006.\n\n       d. Remove excess information technology equipment from the Navy\nEnterprise Resource Planning System only after obtaining an official receipt from\nthe Defense Reutilization and Marketing Service processing center, as required by\n\n\n                                           16\n\x0cDOD Instruction 5000.64, \xe2\x80\x9cAccountability and Management of DOD Owned\nEquipment and Other Accountable Property,\xe2\x80\x9d November 2, 2006.\n\nDepartment of the Navy Comments\nThe Navy Chief Information Officer and the Commander of the Naval Air Warfare\nCenter Aircraft Division agreed with Recommendation 6.a. Specifically, the Commander\nstated that personnel responsible for the disposal of hard drives would be trained to\nensure compliance with the Disposition Memorandum, \xe2\x80\x9cDisposition of DOD Computer\nHard Drives,\xe2\x80\x9d June 4, 2001. The estimated completion date for the training is\nNovember 30, 2009.\n\nThe Navy Chief Information Officer and the Commander of the Naval Air Warfare\nCenter Aircraft Division agreed with Recommendations 6.b and 6.c. 
The Commander\nstated that the division will perform an evaluation of existing electronic systems or\ndevelop a new system to electronically account for all hard drives removed from their\ncomputer shells. In addition, he stated the division will no longer use the National\nSecurity Agency to destroy hard drives, but will coordinate disposal of excess hard drives\nwith the Defense Reutilization Marketing Service. The Commander estimated that these\nactions will be completed by December 31, 2009.\n\nThe Navy Chief Information Officer and the Commander of the Naval Air Warfare\nCenter Aircraft Division agreed with Recommendation 6.d. According to the\nCommander, the Property Management Team will remove excess IT equipment from the\nNavy Enterprise Resource Planning System once it receives a stamped DD 1348 from\nNaval Facilities Engineering Command\xe2\x80\x99s Property Disposal Office. In addition, the\nProperty Management Team will continue to use the Naval Air Warfare Center Aircraft\nDivision Excess Asset Form to ensure IT equipment is properly sanitized before release.\nAccording to the Commander of the Naval Air Warfare Center Aircraft Division, the\nrequired documentation takes years to be received from DRMS processing centers.\n\nOur Response\nThe comments of the Navy Chief Information Officer and Commander of the Naval Air\nWarfare Center Aircraft Division were responsive on Recommendations 6.a, 6.b, and 6.c,\nand no additional comments are required. However, the comments on\nRecommendation 6.d were nonresponsive, for the following reasons.\n\nThe internal controls described by the Commander as having been instituted to\nimplement Recommendation 6.d are the current procedures, rather than revised\nprocedures. 
Therefore, the procedures as stated will continue to result in the same\nproblems described in this report, problems that resulted in Recommendation 6.d.\n\nIf it removes excess IT equipment from the system when a stamped DD 1348 is received\nfrom the Naval Facilities Engineering Command Property Disposal Office, the Property\nManagement Team will continue to remove excess IT equipment from the Navy\nEnterprise Resource Planning System prematurely, leaving equipment unaccounted for.\nThe Property Disposal Office does not account for excess information technology\nequipment dropped off at its office, but merely operates as a holding facility and forwards\nequipment to the processing centers for disposal. Therefore, using documentation\nsupplied by the Property Disposal Office to record disposal and removal of the IT\nequipment from the Navy Enterprise Resource Planning System is inaccurate and leaves\nthe IT equipment unaccounted for until it reaches its final destination\xe2\x80\x94the Defense\nReutilization and Marketing Service. The Property Management Team is responsible for\nthe management, tracking, reutilization, and disposition of all plant and minor property\nand for ensuring equipment is appropriately and accurately accounted for until disposal.\n\nWith regard to the Defense Reutilization and Marketing Service\xe2\x80\x99s processing centers\xe2\x80\x99\ntaking years to forward disposal information, the Web Enabled Document Conversion\nSystem (Web DOCS) was developed to provide electronic receipts for DOD\nComponents. Web DOCS is a worldwide, Web-based system designed to provide an\naudit trail for DD 1348 documents. The system serves as the official record for turn-ins\nand is used to review and retrieve data and images. Customers can immediately retrieve\nan electronic image of a processed DD 1348. 
The Property Management Team can use\nWeb DOCS to pull the required documentation for excess IT equipment and properly\nremove the equipment from the Navy Enterprise Resource Planning System.\n\nWe request that the Navy Chief Information Officer and the Commander of the Naval Air\nWarfare Center Aircraft Division reconsider their position on Recommendation 6.d and\nprovide additional comments in response to the final report.\n\n7. We recommend that the Commander, 436th Medical Group, Dover Air Force\nBase, and the Commander, 50th Space Communications Squadron, Schriever Air\nForce Base:\n\n       a. Account for all hard drives removed from their computer shells.\n\n        b. Account for hard drives removed from their computer shells that contain\nsensitive information in an electronic record-keeping system as required by DOD\nInstruction 5000.64, \xe2\x80\x9cAccountability and Management of DOD Owned Equipment\nand Other Accountable Property,\xe2\x80\x9d November 2, 2006.\n\n\nManagement Comments Required\nThe Commander, 436th Medical Group, Dover Air Force Base, and the Commander,\n50th Space Communications Squadron, Schriever Air Force Base, did not provide\ncomments on the draft report. We request that the Commanders provide comments on\nthe final report.\n\n\n\n\n                                            18\n\x0cAppendix A. Scope and Methodology\nWe conducted this performance audit from November 2007 through June 2009 in\naccordance with generally accepted government auditing standards. 
Those standards\nrequire that we plan and perform the audit to obtain sufficient, appropriate evidence to\nprovide a reasonable basis for our findings and conclusions based on our audit objectives.\nWe believe that the evidence obtained provides a reasonable basis for our findings and\nconclusions based on our audit objectives.\n\nWe conducted this audit to determine whether DOD sanitized and disposed of excess\nunclassified IT equipment in accordance with Federal and DOD requirements. We tested\nthe following to answer the audit objective.\n\n   \xef\x82\xb7   Information Security: We determined whether DOD Components had properly\n       sanitized and properly prepared documentation for the excess IT equipment\n       before forwarding it to the DRMS processing centers. In addition, we determined\n       whether DRMS processing centers confirmed proper documentation of excess IT\n       equipment before processing it. We used the Disposition Memorandum as the\n       criteria to evaluate the internal control related to information security.\n\n   \xef\x82\xb7   Physical Security: We determined whether DOD Components and the DRMS\n       processing centers implemented appropriate internal controls to protect equipment\n       from pilferage. We used DOD Instruction 5200.08-R, \xe2\x80\x9cPhysical Security\n       Program,\xe2\x80\x9d April 9, 2007 as the criteria to evaluate the internal control related to\n       physical security.\n\n   \xef\x82\xb7   Property Accountability: We determined whether DOD Components and DRMS\n       processing centers properly accounted for IT equipment throughout its life cycle.\n       We used DOD Instruction 5000.64 as the criteria to evaluate the internal control\n       related to property accountability.\n\nWe accomplished the audit in two phases. In the first phase, we determined whether the\nDRMS disposed of excess unclassified IT equipment in accordance with DOD\nrequirements. 
During this phase we visited DRMS headquarters, nine DRMS processing\ncenters, and two DRMS contractors\xe2\x80\x99 locations from January through March 2008. In the\nsecond phase, we determined whether DOD Components properly safeguarded sensitive\ninformation residing on excess DOD IT equipment by properly sanitizing and accounting\nfor IT equipment before forwarding it to DRMS.\n\n\n\n\n                                           19\n\x0cFrom June through July 2008, we visited six DOD Components:\n\n   \xef\x82\xb7   USACE Louisville District;\n\n   \xef\x82\xb7   NAS Patuxent River;\n\n   \xef\x82\xb7   436th Medical Group, Dover AFB;\n\n   \xef\x82\xb7   108th Air Refueling Wing, McGuire AFB;\n\n   \xef\x82\xb7   21st Space Wing Command, Peterson AFB, Colorado; and\n\n   \xef\x82\xb7   50th Space Communications Squadron, Schriever AFB.\n\nWe selected a non-statistical sample of 543 out of 4,105 pieces of excess unclassified IT\nequipment. The sample included laptop hard drives, desktop hard drives, digital systems,\nand an electrocardiogram machine. To evaluate the controls exercised over excess DOD\nIT equipment at each DOD Component, we reviewed inventory records and sanitization\nand disposition documentation, and we interviewed personnel with DRMS and other\nDOD organizations. In addition, using forensic software we tested excess hard drives to\nensure that all data had been removed. If not, we determined what type of data remained.\nDuring Phase I, however, we tested hard drives at only two of the nine DRMS processing\ncenters because of lack of testing equipment. 
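The forensic check described above, as an added example that is not part of the report or of the audit team's tools: a Python scan of a constructed disk image that reports whether any sector still holds data after sanitization and, by file signature, what type of data remains. The sample image, the 512-byte sector size, the wipe fill bytes and the signature table are assumptions for illustration.

```python
# Added example (not the audit team's tool): verify a constructed disk image
# has been sanitized and classify any residual data by file signature.
from collections import Counter

SECTOR = 512
# Fill bytes left behind by common wipe tools; anything else is "residual".
BLANK_FILLS = (b"\x00", b"\xff")
# A few well-known file signatures (magic bytes) used to say WHAT survived.
SIGNATURES = {
    b"%PDF-": "PDF document",
    b"\xff\xd8\xff": "JPEG image",
    b"PK\x03\x04": "ZIP/Office (DOCX, XLSX) container",
    b"\xd0\xcf\x11\xe0": "Legacy Office (DOC, XLS) document",
    b"MZ": "Windows executable",
}

def sector_is_blank(sector: bytes) -> bool:
    """True if the sector is entirely one wipe fill byte (0x00 or 0xFF)."""
    return any(sector == fill * len(sector) for fill in BLANK_FILLS)

def classify_sector(sector: bytes) -> str:
    """Name the residual content by leading magic bytes, else 'unknown data'."""
    for magic, name in SIGNATURES.items():
        if sector.startswith(magic):
            return name
    return "unknown data"

def audit_image(image: bytes) -> dict:
    """Scan an image sector by sector; return counts and residual data types."""
    residual = Counter()
    total = 0
    for off in range(0, len(image), SECTOR):
        total += 1
        sector = image[off:off + SECTOR]
        if not sector_is_blank(sector):
            residual[classify_sector(sector)] += 1
    return {"sectors": total, "residual_sectors": sum(residual.values()),
            "sanitized": not residual, "types": dict(residual)}

# Constructed sample: a 6-sector "drive" wiped with zeros except for one sector
# still holding the start of a PDF and one holding unrecognized bytes.
SAMPLE_IMAGE = (b"\x00" * SECTOR * 2
                + (b"%PDF-1.4 residual report" + b"\x00" * SECTOR)[:SECTOR]
                + b"\x00" * SECTOR
                + b"\x13\x37" * (SECTOR // 2)
                + b"\xff" * SECTOR)

if __name__ == "__main__":
    print(audit_image(SAMPLE_IMAGE))
```

A real drive would be read through a write-blocked image file in the same sector loop; only a result with no residual sectors supports signing the disposition label.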
Finally, we evaluated the sufficiency of physical controls over the excess IT equipment at each location visited.

Use of Computer-Processed Data
We relied on computer-processed data extracted from the Defense Reutilization and Marketing Automated Information System, Management Information Distribution and Access System, Asset Inventory Management System, and the Automated Personal Property Management System. We did not find significant errors between the computer-processed data and source documents that would preclude use of the computer-processed data to meet the audit objectives or that would change the conclusions in this report. Through existence and completion testing, we determined that the Defense Reutilization and Marketing Automated Information System, Management Information Distribution and Access System, Asset Inventory Management System, and Automated Personal Property Management System data sources were reliable. We did not perform tests on the controls in place for the systems, but validated the accuracy of the data extracted from each system with other documentation and the results of our existence and completion testing (book-to-floor and floor-to-book tests).

Use of Technical Assistance
We obtained technical assistance from two IT specialists from the DOD Office of Inspector General, Information Systems Directorate. The IT specialists accompanied the audit team to the Mechanicsburg and Wright-Patterson DRMS processing centers and to Dover AFB to test processed DOD unclassified hard drives. For the remaining sites, the Information Systems Directorate provided the audit team with IT forensic equipment and hands-on training to test hard drives to determine whether equipment still contained readable information. If information was found on a piece of equipment, the IT specialist analyzed the information to determine whether it was readable and what type of information it was.

Prior Coverage
During the last 5 years, the Department of Defense Office of Inspector General (DOD IG), Naval Audit Service, and the Air Force Audit Agency have issued four reports discussing sanitizing, disposing of, and accounting for excess IT equipment in accordance with Federal and DOD security and environmental laws and regulations. Unrestricted DOD IG reports can be accessed at http://www.DODig.mil/Audit/reports/index.html. Air Force Audit Agency reports can be accessed from .mil domains over the Internet at https://afkm.wpafb.af.mil/ASPs/CoP/OpenCoP.asp?Filter=OO-AD-01-41 by those with Common Access Cards.

DOD IG
DOD Report No. D-2008-114, “Accountability for Defense Security Service Assets With Personally Identifiable Information,” July 24, 2008

Naval Audit Service
Report No. N2009-0014, “Control over Wireless Devices at Selected Commander, Navy Installations Command and Naval Facilities Engineering Command Activities,” December 17, 2008 (For Official Use Only)

Report No. N2009-0027, “Processing of Computers and Hard Drives During the Navy Marine Corps Intranet (NMCI) Computer Disposal Process,” April 28, 2009 (For Official Use Only)

Air Force Audit Agency
Air Force Audit Agency Report No. F2005-0008-FC4000, “Demilitarization Process,” September 8, 2005

Appendix B. Label Certifying Hard Drive Disposition

DOD Components are required by the Disposition Memorandum to complete and attach the Certification of Hard Drive Disposition label to the hard drive or the computer housing the hard drive. The signed label certifies that the hard drive has no readable information on it. We have indicated examples of the types of information missing from the labels included in our review.

Appendix C. Immediate Action Memoranda to DOD Components

Assistant Secretary of Defense (Networks and Information Integration)/DOD Chief Information Officer Comments

Department of the Navy Chief Information Officer Comments

U.S. Army Corps of Engineers Directorate of Corporate Information Comments

U.S. Army Corps of Engineers Louisville District Comments